Dutch report exposes expanded COATHANGER campaign, as cyber espionage campaign targets edge devices

Following the February report by the Dutch National Cyber Security Centre (NCSC) on the advanced COATHANGER malware targeting FortiGate systems, further investigation by the Dutch Military Intelligence and Security Service (MIVD) and the Dutch General Intelligence and Security Service (AIVD) has revealed that the associated Chinese cyber espionage campaign is more extensive than initially recognized. In response, the NCSC is urging increased vigilance concerning this campaign and the exploitation of vulnerabilities in edge devices. To aid in these efforts, the NCSC has created a factsheet that provides detailed information on edge devices, outlining the associated challenges and offering recommendations.

The MIVD disclosed on Tuesday that hackers exploited a vulnerability in FortiGate devices, gaining access to over 20,000 units worldwide within a few months across 2022 and 2023. According to MIVD’s annual report, the COATHANGER spy software discovered on FortiGate devices at the Ministry of Defence led to the compromise of similar devices globally.

Further investigation indicates that the actor was aware of the exploited vulnerability CVE-2022-42475 at least two months prior to the disclosure of the vulnerability. During this zero-day period alone, the actor infected as many as 14,000 devices. The targets included dozens of Western governments and diplomatic institutions as well as numerous companies operating in the defense industry.

The COATHANGER malware has been identified as ‘stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.’ Additionally, Dutch agencies assess that the use of COATHANGER may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale, gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.

Although this incident started with the abuse of CVE-2022-42475, the COATHANGER malware could conceivably be used in combination with any present or future software vulnerability in FortiGate devices. Post-compromise, the actor conducted reconnaissance of the R&D network and exfiltrated a list of user accounts from the Active Directory server. The impact of the intrusion was limited because the victim network was segmented from the wider MOD networks.

The COATHANGER malware also provides access to compromised FortiGate devices after installation. The implant connects back periodically to a Command and Control (C&C) server over SSL, providing a BusyBox reverse shell. Notably, the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades. Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.
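Because a FortiGate appliance cannot host EDR, the practical signal for the periodic SSL callback described above is on the wire. The following is an added example, not code from the NCSC or MIVD report: it groups a firewall's own outbound TLS flows by destination and flags pairs whose inter-arrival times are tightly clustered. The log format, the hypothetical management address 10.0.0.1 and the destinations are all constructed for the example.

```python
"""Beacon-interval check over constructed firewall egress flow logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flows: "timestamp src dst dport" from the appliance's own
# management address. 10.0.0.1 and both destinations are placeholders,
# not indicators from the report.
FLOWS = """\
2023-03-01T10:00:00 10.0.0.1 203.0.113.7 443
2023-03-01T10:05:01 10.0.0.1 203.0.113.7 443
2023-03-01T10:10:00 10.0.0.1 203.0.113.7 443
2023-03-01T10:14:59 10.0.0.1 203.0.113.7 443
2023-03-01T10:20:00 10.0.0.1 203.0.113.7 443
2023-03-01T10:01:12 10.0.0.1 198.51.100.20 443
2023-03-01T10:37:40 10.0.0.1 198.51.100.20 443
2023-03-01T11:02:05 10.0.0.1 198.51.100.20 443
2023-03-01T11:05:30 10.0.0.1 198.51.100.20 443
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) from the constructed log."""
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_beacons(text, min_flows=4, max_jitter=0.1):
    """Return {(src, dst): mean_gap_seconds} for TLS flow pairs whose
    inter-arrival times vary by at most max_jitter (stddev / mean)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == 443:
            by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue  # too few sessions to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(FLOWS).items():
        print(f"{src} -> {dst}: regular TLS callback about every {gap:.0f}s")
```

The second destination is contacted irregularly and is not flagged; the first shows a five-minute cadence that warrants a closer look at the appliance.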

“The state actor subsequently installed malware at a later stage if a target was considered to be relevant. This afforded the actor permanent access to the system, even if the victim installed the FortiGate updates,” the agency added. “It is unknown how many of these FortiGate devices that were hacked during this initial period were actually subjected to the subsequent operations by the actor.” 

However, the Netherlands intelligence and security services and the NCSC deem it probable that the actor was able to expand access and carry out additional actions, such as data theft, potentially affecting hundreds of victims worldwide.

Even with the published technical report on the COATHANGER malware, detecting and mitigating infections by the state actor remains challenging. The Netherlands intelligence and security services and the NCSC therefore deem it possible that the actor currently has continued access to the systems of a significant number of victims.

The Ministry of Defence (MOD) of the Kingdom of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects of the intrusion were limited because the victim network was segmented from the wider MOD networks. The victim network had fewer than 50 users. Its purpose was research and development (R&D) of unclassified projects and collaboration with two third-party research institutes. These organizations have been notified of the incident.

The Dutch intelligence and security services observe a trend in attacks on edge devices such as firewalls, VPN servers, routers, and email servers. Due to the security challenges associated with these devices, they have become prime targets for malicious actors. Positioned at the periphery of the IT network, edge devices often have direct connections to the internet and are frequently not supported by endpoint detection and response (EDR) solutions.

The initial compromise of an IT network is difficult to prevent if an actor is exploiting a zero-day vulnerability. It is therefore important for organizations to adopt the ‘assume breach’ principle, which acknowledges that a successful digital attack has already occurred or is imminent. Based on this principle, measures are taken to mitigate damage and impact, including implementing segmentation, detection, incident response plans, and forensic readiness.
